How to safely filter for multiple IPs in the same capture with pktcap-uw

Article ID: 413245

Products

VMware vSphere ESXi

Issue/Introduction

To avoid causing instability to an environment using high-throughput services, such as NSX or vSAN, it is important to use filters that limit the amount of traffic being captured when using the pktcap-uw tool in ESXi.

The focus for this article is to provide an example syntax for capturing packets that are being sent or received by multiple IPs (VMs) and to write the file to a shared datastore.

Resolution

Use the --rcf (rich common filter) option along with host <IP> filters to limit the capture to only packets with any of the given IPs.

Substitute vmnicX, the IPs, the datastore, the folder (if used), and the filename where appropriate. Add or remove "host <IP>" clauses as needed.

pktcap-uw --uplink vmnicX --capture UplinkSndKernel,UplinkRcvKernel --rcf "host <#.#.#.1> or host <#.#.#.2> or host <#.#.#.3>" -o /vmfs/volumes/<datastore>/<folder>/<filename>.pcapng

(Press Ctrl+C to stop the capture.)

Example:

pktcap-uw --uplink vmnic0 --capture UplinkSndKernel,UplinkRcvKernel --rcf "host 192.168.0.1 or host 192.168.0.2 or host 192.168.0.3" -o /vmfs/volumes/MyDatastore/MyFolder/MyFilename.pcapng
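The command above is typed by hand, and a mistyped address or a filter that is too broad defeats the purpose of limiting the capture. The following POSIX sh script is an added example, not part of this article or of the pktcap-uw tool: it assembles the --rcf expression from a list of IPv4 addresses, rejects malformed addresses and the limited broadcast address 255.255.255.255 (one of the --rcf limitations listed under Additional Information), checks that the uplink and output path have the expected shape, and by default only prints the resulting pktcap-uw command so it can be reviewed before it is run on a host. The function names (is_ipv4, build_rcf, capture_hosts) and the DRY_RUN variable are this example's own; the pktcap-uw options are the ones shown in the article.

```shell
#!/bin/sh
# Added example (not from the KB article): build and check the pktcap-uw
# multi-host filter command. Runs in POSIX sh (busybox ash on ESXi, bash elsewhere).

# is_ipv4 ADDR -> succeeds only for a dotted quad with four octets in 0-255
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
        *.*.*.*.*) return 1 ;;              # more than three dots
        *.*.*.*) ;;                         # exactly three dots
        *) return 1 ;;
    esac
    rest=$1
    for i in 1 2 3 4; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ ${#octet} -le 3 ] || return 1     # "0255" is fine, "00255" is not
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rcf ADDR... -> prints "host A or host B ..." on stdout; fails if any
# address is invalid or is the limited broadcast address, which the article
# says must not be filtered with --rcf
build_rcf() {
    [ $# -gt 0 ] || { echo "build_rcf: no addresses given" >&2; return 1; }
    expr=''
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "build_rcf: not an IPv4 address: $ip" >&2; return 1; }
        case $ip in
            255.255.255.255) echo "build_rcf: refusing broadcast address $ip" >&2; return 1 ;;
        esac
        if [ -z "$expr" ]; then expr="host $ip"; else expr="$expr or host $ip"; fi
    done
    printf '%s\n' "$expr"
}

# capture_hosts VMNIC OUTFILE ADDR... -> assemble the article's pktcap-uw command.
# With DRY_RUN=1 (the default here) the command is only printed; set DRY_RUN=0
# on an ESXi host to actually start the capture (stop it with Ctrl+C).
capture_hosts() {
    nic=$1; out=$2; shift 2
    case $nic in
        vmnic[0-9]*) ;;
        *) echo "capture_hosts: uplink must look like vmnicN, got '$nic'" >&2; return 1 ;;
    esac
    case $out in
        /vmfs/volumes/*.pcapng) ;;
        *) echo "capture_hosts: output should be a .pcapng file under /vmfs/volumes" >&2; return 1 ;;
    esac
    rcf=$(build_rcf "$@") || return 1
    cmd="pktcap-uw --uplink $nic --capture UplinkSndKernel,UplinkRcvKernel --rcf \"$rcf\" -o $out"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        pktcap-uw --uplink "$nic" --capture UplinkSndKernel,UplinkRcvKernel --rcf "$rcf" -o "$out"
    fi
}

# Usage (dry run): prints the same command the article gives as its example.
capture_hosts vmnic0 /vmfs/volumes/MyDatastore/MyFolder/MyFilename.pcapng \
    192.168.0.1 192.168.0.2 192.168.0.3
```

Keeping the dry run as the default means the assembled filter is reviewed before any capture starts, which is the point of the article: a filter that accidentally matches far more than the intended hosts is exactly what causes trouble on uplinks carrying NSX or vSAN traffic.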

Additional Information

For more information on pktcap-uw, see: pktcap-uw Options for Filtering Packets and Packet capture on ESXi using the pktcap-uw tool.

When using the --rcf option, observe the following limitations.

  • Do not filter VLAN packets using the --rcf option. To trace VLAN or VXLAN traffic, use the pktcap-uw --vlan or --vxlan options.
  • Do not filter an IP broadcast address.
  • Do not use --rcf on ENS ports.

To learn more about filtering network traffic with the --rcf option, refer to the documentation for pcap filter expressions using command-line packet analyzers such as tcpdump. See pcap-filter - packet filter syntax.